Submission Details
Severity: medium
Invalid

Lack of Time-Weighted Checks

Summary

The _smoothed_price function relies on block.timestamp, which miners can manipulate within protocol limits. This introduces risks of price calculation inaccuracies and potential exploitation, undermining the oracle’s reliability.

Vulnerability Details

  • The _smoothed_price function uses block.timestamp (set by miners) for critical time-dependent calculations.

  • Miners can manipulate this timestamp within a small window (e.g., ±15 seconds on Ethereum), introducing inaccuracies or exploitation risks.

Example Scenario:

  • A miner submits a block with a timestamp 15 seconds ahead of real time.

  • The _smoothed_price function calculates price changes as if 15 extra seconds passed, distorting the smoothed value.

  • Attackers could exploit this to trigger undesired liquidations, trades, or arbitrage.

Impact

  1. Manipulated Price Smoothing:

    • Miners can tweak timestamps by ±15 seconds (Ethereum) to distort time intervals used in price smoothing.

    • Example: A miner sets a future timestamp to simulate faster price acceleration, enabling front-running or unfair arbitrage.

  2. Financial Losses:

    • Incorrect price feeds may trigger faulty liquidations, trades, or collateral adjustments, causing user/protocol losses.

Tools Used

Manual Code Review

Recommendations

Use a Decentralized Timestamp Oracle

Replace block.timestamp with a decentralized oracle like Chainlink’s Timestamp Feed for critical calculations.
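As an added illustration (not code from this submission or the audited protocol; the real _smoothed_price implementation is not shown here, so the exponential-smoothing formula, the 600-second half-life and the 25 bps cap are constructed assumptions), this Python model quantifies the 15-second skew from the scenario above and shows a per-update move cap as one hardening that needs no external timestamp source:

```python
import math  # kept for readers who want to swap in exp()-based weights

# Constructed parameters: the submission does not show the real _smoothed_price
# code, so the smoothing formula and constants below are assumptions.
HALF_LIFE_S = 600      # smoothing half-life in seconds
MAX_SKEW_S = 15        # timestamp leeway the report cites for Ethereum
MAX_STEP_BPS = 25      # hardened version: largest move per update, in basis points


def weight(elapsed_s: float, half_life_s: float = HALF_LIFE_S) -> float:
    """Fraction of the spot/smoothed gap closed after `elapsed_s` seconds."""
    if elapsed_s <= 0:
        return 0.0
    return 1.0 - 2.0 ** (-elapsed_s / half_life_s)


def smoothed_price(prev_smoothed: float, spot: float, last_ts: int, now_ts: int) -> float:
    """Naive update: trusts `now_ts` (block.timestamp) without any bound."""
    return prev_smoothed + weight(now_ts - last_ts) * (spot - prev_smoothed)


def smoothed_price_hardened(prev_smoothed: float, spot: float, last_ts: int,
                            now_ts: int, max_step_bps: int = MAX_STEP_BPS) -> float:
    """Same update, but the per-update move is capped, so a skewed timestamp
    (or a long gap between updates) cannot push the smoothed price past the cap."""
    proposed = smoothed_price(prev_smoothed, spot, last_ts, now_ts)
    limit = prev_smoothed * max_step_bps / 10_000
    return max(prev_smoothed - limit, min(prev_smoothed + limit, proposed))


def skew_impact_bps(prev_smoothed: float, spot: float, last_ts: int,
                    honest_ts: int, skew_s: int = MAX_SKEW_S) -> float:
    """Distance (in bps of prev_smoothed) between the naive result with the honest
    timestamp and the naive result with the timestamp shifted by `skew_s` seconds."""
    honest = smoothed_price(prev_smoothed, spot, last_ts, honest_ts)
    skewed = smoothed_price(prev_smoothed, spot, last_ts, honest_ts + skew_s)
    return abs(skewed - honest) / prev_smoothed * 10_000


if __name__ == "__main__":
    # Constructed scenario: smoothed 100.0, spot 110.0 (a 10% gap), 12 s since last update.
    print(f"naive, honest ts : {smoothed_price(100.0, 110.0, 1_000, 1_012):.4f}")
    print(f"naive, +15 s     : {smoothed_price(100.0, 110.0, 1_000, 1_027):.4f}")
    print(f"hardened, +15 s  : {smoothed_price_hardened(100.0, 110.0, 1_000, 1_027):.4f}")
    print(f"skew impact      : {skew_impact_bps(100.0, 110.0, 1_000, 1_012):.1f} bps")
```

The cap trades manipulation resistance for slower tracking of genuine price moves, so its size has to be chosen against the asset's expected volatility between updates.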

Updates

Lead Judging Commences

0xnevi Lead Judge
3 months ago
0xnevi Lead Judge 2 months ago
Submission Judgement Published
Invalidated
Reason: Lack of quality
Assigned finding tags:

[invalid] finding-timestamp-manipulation

Extremely theoretical finding. No proof that, and no economic analysis of whether, such a manipulation is profitable.
